Re: [Ntp] Tsvart last call review of draft-ietf-ntp-port-randomization-06

Hal Murray <> Fri, 26 February 2021 12:35 UTC

To: "Brian Trammell (IETF)" <>
cc: Fernando Gont <>,,,,,
From: Hal Murray <>
In-Reply-To: Message from "Brian Trammell (IETF)" <> of "Fri, 26 Feb 2021 11:04:50 +0100." <>
Date: Fri, 26 Feb 2021 04:35:03 -0800
Brian Trammell (IETF) said:
> Are there any known firewall/NAT deployments that require 123/123 on both src
> and dst to recognize NTP? Is there anything a port-randomizing NTP speaker
> can/must do to detect and react to this situation (even if that's throwing up
> an error message and asking the kind human looking after the thing to please
> unbreak their firewall)?

There is nothing in an NTP packet that needs tweaking by a NAT box other than 
the obvious return address.  So there is no reason to recognize it as an NTP 

More details than anybody wants to know...

There was/is(?) Autokey, RFC 5906, an early attempt at public key 
authentication.  It didn't work through NAT because the client IP address was 
tangled up in the crypto.  I don't think anybody uses it.  We removed support 
from NTPsec.  But who knows what unattended code is still running in some 
dusty corner.

Some of the mode 6/7 subcommands use a cookie to prevent DDoS amplification.  
The client doesn't know anything about the contents of the cookie.  The cookie 
includes a hash of the client's IP address, but that works through NAT as long 
as the client uses the same NAT box to both request and use the cookie.

NTS uses cookies, but there is nothing about the IP address included in the 
cookie.  We discussed adding the IP address.  I have forgotten exactly why.  
Probably to avoid reflection attacks.  We decided not to do that.

These are my opinions.  I hate spam.
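The two points above (an NTP packet carries no endpoint address, so a NAT only rewrites IP/UDP headers; an anti-amplification cookie that hashes the client's apparent address keeps working as long as the same NAT address is seen on request and use, while an NTS-style cookie with no address in it validates from anywhere), worked through as an added example. This is illustrative code written for this page, not code from the thread, ntpd, NTPsec, or any NTS implementation; the 48-byte header layout follows RFC 5905, but the cookie format (`issue time || truncated HMAC`), the class and function names, the secret, and the addresses 10.0.0.7 / 203.0.113.5 / 192.0.2.10 are all constructed for the demonstration and do not reproduce the real mode 6/7 nonce or NTS cookie encodings.

```python
import hashlib
import hmac
import struct
from dataclasses import dataclass, replace

NTP_EPOCH_OFFSET = 2208988800  # seconds from 1900-01-01 to the Unix epoch
# 48-byte NTPv4 header (RFC 5905): LI/VN/mode, stratum, poll, precision,
# root delay, root dispersion, reference ID, then four 64-bit timestamps.
NTP_HEADER = struct.Struct("!BBBbII4sQQQQ")


def ntp_timestamp(unix_seconds: float) -> int:
    """Unix time -> 64-bit NTP timestamp (32-bit seconds, 32-bit fraction)."""
    whole = int(unix_seconds)
    frac = int((unix_seconds - whole) * (1 << 32))
    return (((whole + NTP_EPOCH_OFFSET) & 0xFFFFFFFF) << 32) | (frac & 0xFFFFFFFF)


def ntp_client_packet(transmit_unix_seconds: float) -> bytes:
    """Minimal mode 3 (client) request: LI=0, VN=4, mode=3, transmit
    timestamp set, everything else zero. Every field is time or clock
    metadata; none carries an IP address or port."""
    li_vn_mode = (0 << 6) | (4 << 3) | 3
    return NTP_HEADER.pack(li_vn_mode, 0, 0, 0, 0, 0, b"\x00" * 4,
                           0, 0, 0, ntp_timestamp(transmit_unix_seconds))


def parse_ntp_header(packet: bytes) -> dict:
    """Decode the fixed header; extension fields (if any) are ignored here."""
    if len(packet) < NTP_HEADER.size:
        raise ValueError("short NTP packet")
    (lvm, stratum, poll, precision, root_delay, root_disp, refid,
     ref_ts, orig_ts, recv_ts, xmt_ts) = NTP_HEADER.unpack_from(packet)
    return {
        "leap": lvm >> 6, "version": (lvm >> 3) & 7, "mode": lvm & 7,
        "stratum": stratum, "poll": poll, "precision": precision,
        "root_delay": root_delay, "root_dispersion": root_disp,
        "reference_id": refid, "reference_ts": ref_ts,
        "origin_ts": orig_ts, "receive_ts": recv_ts, "transmit_ts": xmt_ts,
    }


@dataclass(frozen=True)
class Datagram:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    payload: bytes


def nat_rewrite(dgram: Datagram, public_ip: str, public_port: int) -> Datagram:
    """Source NAT for an outbound packet: only IP/UDP headers change; the
    NTP payload is passed through byte for byte."""
    return replace(dgram, src_ip=public_ip, src_port=public_port)


class CookieIssuer:
    """Server-side anti-amplification cookie (constructed format, an
    assumption of this example). bind_to_address=True models the mode 6/7
    style: an HMAC over the client's apparent IP plus issue time under a
    secret the client never sees. bind_to_address=False models an
    NTS-style cookie that says nothing about the address."""

    def __init__(self, secret: bytes, bind_to_address: bool, max_age: int = 300):
        self.secret = secret
        self.bind = bind_to_address
        self.max_age = max_age

    def _mac(self, client_ip: str, issued: int) -> bytes:
        addr = client_ip.encode() if self.bind else b""
        return hmac.new(self.secret, addr + struct.pack("!I", issued),
                        hashlib.sha256).digest()[:8]

    def issue(self, client_ip: str, now: int) -> bytes:
        return struct.pack("!I", now) + self._mac(client_ip, now)

    def validate(self, cookie: bytes, client_ip: str, now: int) -> bool:
        if len(cookie) != 12:
            return False
        issued = struct.unpack("!I", cookie[:4])[0]
        if now < issued or now - issued > self.max_age:
            return False
        return hmac.compare_digest(cookie[4:], self._mac(client_ip, issued))


def demo() -> dict:
    """Constructed scenario: client 10.0.0.7 behind a NAT whose public
    address is 203.0.113.5, talking to server 192.0.2.10."""
    req = Datagram("10.0.0.7", 51234, "192.0.2.10", 123,
                   ntp_client_packet(1_700_000_000.25))
    on_wire = nat_rewrite(req, "203.0.113.5", 40001)
    parsed = parse_ntp_header(on_wire.payload)

    t0 = 1_700_000_000
    ip_bound = CookieIssuer(b"server-secret", bind_to_address=True)
    unbound = CookieIssuer(b"server-secret", bind_to_address=False)
    c_bound = ip_bound.issue(on_wire.src_ip, t0)    # server sees the NAT address
    c_free = unbound.issue(on_wire.src_ip, t0)
    return {
        "payload_untouched": on_wire.payload == req.payload,
        "mode": parsed["mode"], "version": parsed["version"],
        "bound_same_nat": ip_bound.validate(c_bound, "203.0.113.5", t0 + 5),
        "bound_other_nat": ip_bound.validate(c_bound, "203.0.113.6", t0 + 5),
        "bound_expired": ip_bound.validate(c_bound, "203.0.113.5", t0 + 301),
        "unbound_other_nat": unbound.validate(c_free, "203.0.113.6", t0 + 5),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The address-bound cookie is what makes the "same NAT box" condition matter: a client whose traffic is load-balanced across several NAT egress addresses between the cookie request and its use will fail validation, whereas the unbound variant would accept the cookie from any source (which is the reflection concern the thread mentions).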